OPM Breach – What Was Taken?

The government seems to be avoiding telling us what information was taken.  This could be because they don’t know – or because they do know.  One speculation that keeps coming up, and that the OPM has not denied, is that the hackers got SF-86 data.  If that is true, that is a problem.  I will explain in a moment, but the OPM has admitted that the data was not encrypted.  Other people in the know have said that the government is focusing too much on perimeter security.  While perimeter security is important, it does little for the case where your employees invite the attackers in by, say,  clicking on a link.

The SF-86s, if they were compromised, would be the holy grail for attackers like China trying to build a database of federal government employees and contractors.  If you apply for a government security clearance, you fill out an SF-86.  In that form you tell the government about yourself – where you have lived, where you have worked, every family member, your friends, your references, etc.

While we don’t actually use the SF-86 form itself any more – eQIP, a web-based system, replaced it – the blank form is still available here.  I don’t know, but I suspect, that eQIP is just a web front end that generates and validates the data and then produces an SF-86 for the actual government process.

To give you an idea of how invasive the SF-86 is, the form itself is 127 pages long.

Besides information like your Social Security number, date of birth, place of birth, height, weight, other names you have used, citizenship information – including naturalization information if you became a citizen – where you went to school and even more information, it asks about any crimes you were convicted of.

It also asks for some of that information, like Social Security numbers for your relatives, so all of a sudden that 4 million identities becomes 40 million.  I am not clear if the OPM is going to notify all those people that their information has been compromised as well.

So, if you are merely an identity thief, you now have a vast database of information that cannot be replaced the way a credit card can be: information to answer security questions and create false identities to commit crimes.

If you are a foreign power and you want to commit espionage, you now have the data to figure out who can be blackmailed and for what.

And there is really NOTHING that you can do to protect yourself.

And, you cannot sue the government, no matter what happens.

It is really, pretty much, a mess.

Explain to me how 18 months of credit monitoring will help you against being blackmailed.   Or protect you from an identity thief using that information to gain access to existing financial resources.

I was reading about Lifelock after I wrote the post on identity protection services yesterday and their higher end plans ($220-$330 a year, if you buy in advance) do offer to monitor your checking and brokerage accounts, but they do not say how.  The only way I can see that working is if you give them access to your accounts.  If true, you are counting on them not being breached and, at least for my bank, they say that if you give someone access and there is fraud, the bank is no longer responsible to make you whole.  And even if you do subscribe to this, it reports after the fact – after the crook has stolen your money.

I don’t think there is an easy way out of this one, unfortunately, *IF* the attackers got millions of SF-86s.

Attackers are getting smarter, and businesses in general are not keeping pace.

If someone broke into your network and stole your equivalent of SF-86s and quietly left, would you even know?  What would the impact on your business be if you lost your customer lists, trade secrets, patent applications, business processes or other crown jewels?

Ponder that for a moment.
